<aside> 🧰 Scan Nmap
</aside>
With nmap we identify a Webmin web server running on 10.200.105.200:10000. Using https://github.com/MuirlandOracle/CVE-2019-15107 or Metasploit, we can break through and get access to the machine as root.

As root, we can now retrieve the hashes of each user on the machine, the important ones being root and twreath.
root:$6$i9vT8tk3SoXXxK2P$HDIAwho9FOdd4QCecIJKwAwwh8Hwl.BdsbMOUAd3X/chSCvrmpfy.5lrLgnRVNq6/6g0PxK9VqSdy47/qKXad1:0:0:root:/root:/bin/bash
twreath:$6$0my5n311RD7EiK3J$zVFV3WAPCm/dBxzz0a7uDwbQenLohKiunjlDonkqx1huhjmFYZe0RmCPsHmW3OnWYwf8RWPdXAdbtYpkJCReg.:1000:1000:Thomas Wreath:/home/twreath:/bin/bash
We can try to crack them with John.
Cracking /etc/shadow with John
john --wordlist=/usr/share/wordlists/rockyou.txt psswrd.txt
Unfortunately, we can't crack them, but /root/.ssh/id_rsa contains a private key that most likely gives access to the machine over SSH.
Let's set chmod 600 on the file to make it private, and then connect with ssh.
ssh -i id_rsa [email protected]
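
From the defender's side, the finding here is a root private key stored without a passphrase, so reading the file is enough to log in. The following audit script is an added example, not part of the original write-up; the function names `key_mode_ok`, `key_protection` and `audit_key` are made up for illustration. It reports key files whose mode is looser than owner-only or that are stored without a passphrase.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag SSH private keys that
# are readable beyond their owner or stored without a passphrase.

# key_mode_ok FILE: succeeds when group and other have no permission bits.
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_protection FILE: prints encrypted, unencrypted or unknown.
key_protection() {
    case "$(head -n 1 "$1")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # openssh-key-v1 body: 15-byte magic, 4-byte length, cipher name.
        # Cipher name "none" means the key is stored without a passphrase.
        cipher=$(sed '/^-----/d' "$1" | tr -d '\r\n' | base64 -d 2>/dev/null |
                 head -c 23 | tail -c 4)
        case "$cipher" in
        none) echo unencrypted ;;
        "")   echo unknown ;;
        *)    echo encrypted ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo encrypted ;;
    "-----BEGIN "*"PRIVATE KEY-----")
        # Legacy PEM marks passphrase protection with a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
        else echo unencrypted; fi ;;
    *)
        echo unknown ;;
    esac
}

# audit_key FILE: prints one report line; returns 1 if the key needs attention.
audit_key() {
    mode=ok; key_mode_ok "$1" || mode=too-open
    prot=$(key_protection "$1")
    echo "$1: mode=$mode protection=$prot"
    [ "$mode" = ok ] && [ "$prot" = encrypted ]
}

# Audit every path given on the command line, e.g. ~/.ssh/id_*.
for f in "$@"; do audit_key "$f" || :; done
```

A key reported as `protection=unencrypted` can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`.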
